October 2008 $9.00 www.csoonline.com




LEANER. 

MEANER. 

GREENER. 

Twentieth-century datacenters simply weren’t built to handle the demands of twenty-first century business. With these hardwired, high-density computing environments, we’ve inherited inefficiency, complexity and ever-increasing power and cooling costs. Businesses need a new approach. IBM’s New Enterprise Data Center is a vision for the highly efficient, greener-by-design, business-driven IT model you’ll need for tomorrow. This isn’t some far-off theory. IBM is already working with over 2,000 clients to help make this vision a reality. A greener world starts with greener business. Greener business starts with IBM.

SYSTEMS.  SOFTWARE.  SERVICES.  FOR  A  GREENER  WORLD. 

See  our  Webcast  about  greener  datacenters  at  ibm.com/green/datacenter 


IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. © 2008 IBM Corporation. All rights reserved.


October  2008  Vol.  7,  No.  8 


Features... 

22 Bay Watch

Cover Story | Facilities

Companies in all industries struggle to secure the sensitive spot where goods come in and go out. Follow these best practices and sleep better tonight. By Lauren Gibbons Paul

28 Progress Report

Interview | Security expert Stephen Flynn on Operation Cargo Safety and other initiatives. By Joan Goodchild

32 Electronic Evidence and the CSO

Legal Issues | Will your company’s evidence stand up in court? Two experts say CISOs have a critical role to play, not just in e-discovery but also in preservation and presentation. The first step is understanding how judges decide admissibility of electronic evidence. By Jacques Francoeur and Steven Teppler


Also  Inside... 


4  From  the  Editor 
6  From  the  Publisher 

8 Join the Discussion

CSOonline readers discuss protecting against electroencephalography telepathy (sort of), Olympics forensic files and decreased litigation costs from document retention.

11 Briefing

■ Patch management
■ What people steal
■ Malware infects Space Station
■ Kiss your WEP goodbye
■ Torvalds on “security circus”
■ Security wisdom watch
■ Cracking the Charlie Card

18 Toolbox

Security Central
Key tools for the data center. By Rick Cook

36 CSO View

Infosecurity Governance: Centralized Versus Distributed
How to build a model that works for your business. By Audry Agle

38 Industry View

New Ways to Approach Security in a Web 2.0 World
Web 2.0 technologies have ushered in a new age of security threats. By Brian Foster

40 Debriefing

Cleanup in Aisle 5

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: !. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2  www.csoonline.com  October  2008 


Cover  photo  by  Veer 


Who  is 

FishNet  Security 

FishNet  Security  is  the  only  nationally 
focused  information  security 
solutions  provider 
with  a  full  suite  of 
professional  services. 


Compliance 
Application  Security 
Security  Assessments 
Identity  &  Access  Management 
Security  Risk  Management 
Incident  Management 
Network  Security 
Data  Security 


FishNet Security

www.fishnetsecurity.com 


For  more  information  call  1-888-732-9406. 


[  FROM  THE  EDITOR] 


Show  Time 

Trade  shows  evolve  with 
the  security  field 

I hit two shows in September and got a real mind-bending, yin-yang sort of experience (in addition to a severe travel cold and way too many canvas bags) for the effort.

First up was our own Digital ID World conference in Anaheim. Identity management (SAML, Shibboleth, directories active or virtual): that’s a technology show, right?

The next stop was the ASIS exposition in Atlanta. Retractable barriers, chemical detection sensors, badge-management systems: no enterprise IT there, right?

Wrong on both counts.

At DIDW, there was plenty of technology on display, aimed at pieces of the ID management puzzle, large (the Microsofts, Novells, Oracles of the world) and small (everything from password-management software to enterprise authentication for the Mac). But pressed to name the biggest technical hurdles facing identity management, the keynote speakers echoed a consistent answer: The big challenges, they said, are about establishing trust. There are technical questions, but those are manageable. Identity management requires tech, but it isn’t about tech.

On the other hand, at ASIS, one attendee reminisced that a mere half-decade ago, it really was a show about guards and gates, but now the presence and flavor of technology are nearly overwhelming: IP video analytics, fraud-detection software and so on. The so-called physical security show is radically infused with technology.

Of course, this “techno or no-tech” dichotomy is really a MacGuffin, a red herring. It grabs our attention but isn’t central to the real plot.

J.M. Allain, the new president of Panasonic System Solutions, told me at ASIS that he was brought in specifically because his company, historically focused on product engineering pushed out to the reseller channel, wants to amp up its customer awareness and provide more integrated solutions that solve real business problems.

That’s the trick of it all, isn’t it? Behind the gee-whiz curtain (and I certainly enjoyed that gee-whiz factor at both shows), DIDW and ASIS and, hopefully, every show you’ll attend this year, are ultimately business shows. Whatever technologies, processes, products or practices you may find at vendor booths or keynote presentations, it’s your job (you, the CSO, the customer) to translate those things into value for your organization.

-Derek Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Senior  Editors 
Bill  Brenner,  Joan  Goodchild 
Copy  Editor  Susan  Bryant-Still 
Associate  Copy  Editor 
Kristin  Burnham 

Editorial  Assistant  Jarina  D'Auria 
Editorial  Administrator 
Simone  Levien 
Contributors 

Audry Agle, Scott Berinato, Rick Cook, Brian Foster, Jacques Francoeur, Gregg Keizer, Ellen Messmer, Lauren Gibbons Paul, Steven Teppler

DESIGN 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 

CXO  MEDIA/IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 


INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 
Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO 

Bob  Carrigan 


BPA Worldwide




Photo  by  Webb  Chappell 




Problems piling up? The crush of complicated legacy data centers (the multiple platforms, management tools, OSs) has enterprises at the breaking point. So break free with Juniper Networks. Meet all your immediate and long-term initiatives through a simplified, sustainable, scalable architecture, so your business grows, not the costs or risk. Juniper Data Center Infrastructure Solutions consolidate platforms and remove complex layers, meaning speedier service delivery and always-on availability across your extended enterprise.

No  more  short-term,  quick-fix  patches.  The  switch  is  on  to  Juniper,  and  to  superior 
agility,  efficiency  and  a  commanding  competitive  edge:  www.juniper.net/datacenter 


Juniper Networks

1.888.JUNIPER


[  FROM  THE  PUBLISHER  ] 


The  Evolution 
of  Security 

Over the course of two weeks last month I spoke at or attended four security conferences (the fall is a busy event season). I met with hundreds of security professionals, dozens of CSOs and CISOs, and many, many security vendors. I did a lot of talking. More important, I did a lot of listening.

We’ve witnessed a meltdown in the financial markets that is having a significant impact on the CSO job market. In fact, the tenor of career conversations has been ratcheting up at a frantic pace on Wall Street and beyond.

In November we have a presidential election, the outcome of which, in my mind at least, will have profound implications for the United States and, by extension, the world. It will also influence the direction this nation takes as it addresses the variety of security concerns that CSO covers on a regular basis, from regulation to privacy and beyond. It will influence the profession of security, good or bad, for many years to come.

Despite having these great issues to explore, what struck me most in my travels was how security has changed from where it was more than six years ago when we launched CSO. Security has evolved, and it has done so at a speed unlike anything I have seen before. Security has gone from being a cost center that administered firewalls or negotiated guard service contracts to become an integral part of the business. How do I know this? Because I am now seeing IT automating significant parts of security operations, not just for information security but for physical security as well.

Let me explain: IT used to be viewed as strictly a cost center. In an effort to prove its value to the business, CIOs began taking on projects to help automate areas of the business like finance and sales (hence the growth of such software powerhouses as SAP, Oracle, Siebel and, more recently, Salesforce). Their ability to streamline operations and gain significant operational and financial efficiencies from those processes secured their role as a business enabler as opposed to a cost center. They didn’t own those businesses or processes, but they applied technology to make them better and then administered the technology.

For the past few years we have watched IT take on the daily management of information security operations beyond just firewalls and provisioning, which makes a lot of sense since IT was securing its own assets, or the assets it was administering for other arms of the business (like finance, sales, HR, etc.). But we are now seeing IT take on responsibility for managing physical security systems like access control and video. As in the finance example, IT doesn’t own the video and access control systems. It brings knowledge of technology to bear, then improves and administers those systems.

This is a profound change, and it proves that you must be doing something right. We’ve always professed the importance of selling the business value of security. Here comes the payoff.

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser Index

AlliedBarton Security Services . . . 7
CXO Media Inc. . . . 10, 31, 39
FishNet Security Inc. . . . 3
HID Corp. . . . 13
IBM Corp. . . . C2
(ISC)2 . . . 15
Juniper Networks Inc. . . . 5
Lumension Security . . . C3
Reconnex Corp. . . . 21
RSA Security Inc. . . . 27
SecureWorks . . . 19
Websense Inc. . . . C4

Publisher  Bob  Bragdon 
Senior  Ad  Sales  Associate 
Christine  McKay 
East  Coast  Regional  Manager 
Roz  Burke 

Regional  Sales  Manager  Matt  Knuth 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 
Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Online  Regional  Sales  Manager, 
Midwest  Sarah  Gaskin 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 
Jennifer  Malkasian,  Tara  Shea 
Online  Advertising  Specialist 
Barbara  Sullivan 
Online  Sales  Associate 
Erin  Sullivan 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 
Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 

Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 
Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 

Deb  Begreen 

Editorial  Director  Maryfran  Johnson 
National  Sales  Manager 
Per  Melker 

Eastern  Regional  Sales  Manager 
Sarah  Moon 
Sales  Associate 
Lauren  Costello 
Event  Planner  Sarah  Reagan 
Event  Planner/Client  Relations 
Laura  Biringer 

Registration  Specialist  Cress  O’Brien 
Marketing  Specialist  Kristin  Gallo 
Client  Services  Specialist  Erica  Foster 

LIST SERVICES

Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS & PERMISSIONS

For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com




Photo  by  Christopher  Navin 


Meet Robert.

He manages the security team that protects your interests.


Robert Capasso 

AlliedBarton  Account  Manager  I  Washington,  DC 


Behind  every  AlliedBarton  security  officer  is  an  account  manager  providing  the 
support  needed  to  get  the  job  done  right.  Committed  to  understanding  each 
customer’s  company,  culture  and  security  needs,  AlliedBarton  account  managers 
like  Robert  Capasso  provide  the  on-site  expertise  and  management  needed  to 
make  sure  security  initiatives  are  implemented  according  to  plan. 

For  more  than  fifty  years,  AlliedBarton  has  been  providing  security  officer  solutions 
where  our  customers  live  and  work.  We  operate  through  over  100  regional  and 
district  offices  to  deliver  the  highest  level  of  security  officers  in  the  United  States. 
Our  local  response  allows  us  to  meet  specific  customer  needs.  Our  national 
support  enables  us  to  create  and  consistently  deliver  with  expertise. 


SECURITY  SERVICES 


Local  Response  National  Support 


We  Do  Our  Job  So  You  Can  Do  Yours. 

See  how  AlliedBarton  provides  local  response  with  our 
account  managers  at  AlliedBarton.com/Manage. 


THE FIRST SECURITY SERVICES COMPANY RECOGNIZED BY TRAINING MAGAZINE’S TOP 125 (2008)

1.866.825.5433 AlliedBarton.com/Manage


What’s on your mind? Security leaders discuss and debate at www.csoonline.com.


BLOG  POST 

Firewall to Protect Against Electroencephalography Telepathy

A team of UC Irvine scientists has been awarded a $4 million grant from the U.S. Army Research Office to study the neuroscientific and signal-processing foundations of synthetic telepathy.

The brain-computer interface would use a noninvasive brain imaging technology like electroencephalography (the measurement of electrical activity produced by the brain as recorded from electrodes placed on the scalp) to let people communicate thoughts to each other. For example, a soldier would “think” a message to be transmitted and a computer-based speech recognition system would decode the EEG signals. The decoded thoughts, in essence, translated brain waves, are transmitted using a system that points in the direction of the intended target.

It starts with a grant at a university; the concept becomes real; it is picked up for further black op research that no one knows has occurred, and before you know it, it is in use at airports, sporting events, political conventions and in boardrooms. It might be great on a date but that concept leads to some unsavory ideas. Could you imagine...?

I don’t think I should be wearing one of these “noninvasive” brain imaging devices in some of the meetings I attend. Could you imagine the thoughts emanating from your brain onto the screen projected on the wall with the LCD?

In light of the new research, I’m going to give Dan Geer a call at In-Q-Tel to see if I can get funding for a telepathy firewall concept that is organic in nature, protecting brainwaves down to the neurons and dendrites, and provides synapse VPN tunnels to protect my thoughts.

I wonder how access rights will be managed here? Will there be connection standards with other VPN tunnels and other people? I’ll probably have to deploy some out-of-date, signature-based antivirus solution to protect my thoughts but, could you imagine the initial cleanup effort just to get to a steady state?

-Jeff Bardin 

BLOG  POST 

Olympics: Forensic Files?

The International Olympic Committee opened up an investigation into the age of two of China’s gold-medal-winning Olympic gymnasts, and closed it a day later, following a security consultant’s discovery of online documents listing the competitors as too young to compete.

Now I keep hoping this will apply to me and someone will find out I am actually younger than I claim. Really, can just five or so years be shaved off? I am not greedy! But it does lead one to wonder what all can be found out about you. I know from my case it has been easy to locate the following on computer hard drives:

■ Social security numbers
■ Addresses
■ Resumes
■ Family photos (not that I usually care).

And everything else. So why can’t someone find my age to be five years younger?

-Kris  Haworth 


China’s gymnastics team members pose with their gold medals after the women’s team final competition at the Beijing 2008 Olympics.




Photo  by  AP/Amy  Sancetta 


BLOG  POST 

Document Retention Policies May Decrease Litigation Costs

Most businesses have retention policies governing how long documents are to be retained before being destroyed or discarded.

A growing number of businesses are extending their existing retention policies to include electronic documents, particularly e-mail. For example, a common retention policy for e-mail would require deletion after 60 days.

In many instances, the deletion is accomplished automatically by programming the business’s computers to review the dates on e-mail and to delete those messages having dates beyond the allowed limit. If an employee desires to retain a message past the automatic deletion date, she must take affirmative action to preserve the e-mail (for example, contact the MIS department or copy the e-mail to a special directory).

In the absence of a law specifically requiring certain documents to be retained or if the owner of the documents is on notice of a pending or threatened claim, document retention policies in the electronic context accomplish three goals:

* Document retention policies conserve valuable computer storage space.

* Reducing the volume of stored electronic documents improves the efficiency of the computer system.

* Provided there is no legal obligation to preserve evidence, deleting electronic documents when they are no longer necessary reduces the likelihood that such documents may be exploited in future litigation.

Because of the informality with which e-mail is treated by employees, it is a frequent target of discovery in litigation. As illustrated in the following example, failing to implement an effective retention policy for e-mail can substantially increase litigation costs and lead to greater liability.

XYZ corporation is sued by one of its employees for wrongful termination. During the course of discovery, the plaintiff serves a document request seeking all relevant e-mail. If the business does not have a practice of periodically deleting e-mail that was of no reasonable value after some relevant period, it would be under an obligation to search through all of the e-mail on its systems. This could mean reviewing an enormous volume of e-mail accumulated over many years. If XYZ is like most companies, it not only does not have an established retention policy for electronic documents, it also has no policy requiring where e-mail messages are to be stored on its systems. This means that instead of requiring that all e-mail be stored in a specific place, messages may be found in a variety of locations. As such, the search for relevant messages will likely require a review of the local area network’s hard disks, network backup tapes, the hard disks installed in relevant employees’ desktop computers, company laptop computers, handheld PDAs and the home computers of certain employees.

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com

A search of the foregoing nature can cost thousands of dollars and take substantial time to complete. If the company had a retention policy in effect and had required e-mail to be stored in a central location, the expense and time required to respond to the discovery request would be significantly reduced.

Next time, we will talk about some of the basic elements of a document retention policy. -Michael Overly
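The automatic purge Michael Overly describes is only safe if the litigation-hold and employee-preservation exceptions are tested before the age rule, because a purge that runs during a pending claim is spoliation, not housekeeping. The script below is an added example, not code from the post or from any product; the message ids, custodians, dates, the hold list and the 60-day window are constructed sample data.

```python
"""Retention sweep for an e-mail store: delete messages older than the policy
limit unless the custodian is under a legal hold or the employee has
affirmatively preserved the message. Added example; all data is constructed."""
from datetime import date

RETENTION_DAYS = 60            # the "deletion after 60 days" policy in the post
TODAY = date(2008, 10, 1)      # constructed "now"

# Constructed mailbox: (message_id, custodian, sent_date). Hypothetical values.
MESSAGES = [
    ("m1", "alice", date(2008, 5, 1)),    # well past the window
    ("m2", "alice", date(2008, 9, 15)),   # within the window
    ("m3", "bob", date(2008, 4, 10)),     # old, but bob is on legal hold
    ("m4", "carol", date(2008, 1, 3)),    # old, but carol flagged it to keep
]
# Custodians on notice of a pending or threatened claim: nothing of theirs is deleted.
LEGAL_HOLDS = frozenset({"bob"})
# Messages an employee took affirmative action to preserve (e.g. copied to a hold folder).
PRESERVED = frozenset({"m4"})


def retention_decision(msg_id, custodian, sent, today,
                       retention_days=RETENTION_DAYS,
                       holds=frozenset(), preserved=frozenset()):
    """Return (action, reason). The hold checks run BEFORE the age test so a
    litigation hold always overrides the routine purge."""
    age_days = (today - sent).days
    if custodian in holds:
        return "keep", "custodian under legal hold"
    if msg_id in preserved:
        return "keep", "preserved by employee"
    if age_days > retention_days:
        return "delete", f"{age_days} days old exceeds {retention_days}-day policy"
    return "keep", f"{age_days} days old, within policy"


def sweep(messages, today, **policy):
    """Map every message id to its (action, reason)."""
    return {mid: retention_decision(mid, who, sent, today, **policy)
            for mid, who, sent in messages}


def to_delete(messages, today, **policy):
    """Sorted ids the purge job may actually remove."""
    return sorted(mid for mid, (action, _) in sweep(messages, today, **policy).items()
                  if action == "delete")


if __name__ == "__main__":
    for mid, (action, why) in sweep(MESSAGES, TODAY, holds=LEGAL_HOLDS,
                                    preserved=PRESERVED).items():
        print(f"{mid}: {action:6} ({why})")
    print("purge list:", to_delete(MESSAGES, TODAY, holds=LEGAL_HOLDS, preserved=PRESERVED))
```

Run stand-alone it prints one line per message and a purge list containing only `m1`; when the hold on bob is lifted, `m3` joins the list on the next sweep, which is the point of keeping the hold set as a separate input rather than editing the dates.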


More  on  the  Web 

Check out blogs.CSOonline.com to see what our team of guest-bloggers is saying about the big security issues of the day.




CONTINUITY & RISK MANAGEMENT

THANK YOU TO OUR SPONSORS

Alcatel-Lucent
MessageOne
Stratus Technologies

Underwriter
ProCurve Networking by HP

Platinum
Symantec

Gold
Hitachi Data Systems
SunGard Availability Services (Keeping People and Information Connected)
MIR3 Intelligent Notification
WebEx

Partners
LinkedIn, ovation

BUSINESS TECHNOLOGY LEADERSHIP

CSO

BUSINESS RISK LEADERSHIP


“Both camps are whoring themselves out for their own reasons.” page 16


TRENDS, STATS AND FAST FACTS
Edited by Bill Brenner

Threat Watch

Does Patch Management Need Patching?

The bad guys have an easy target in those who don’t deploy long-available patches

According to a recent estimate from Verizon, 90 percent of successful exploits these days involve vulnerabilities for which a patch has been available for six months or longer.

“For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach,” Verizon says on page 15 of its 2008 Data Breach Investigations Report (www.verizonbusiness.com/resources/security/databreachreport.pdf). “Also worthy of mention is that no breaches were caused by exploits of vulnerabilities patched within a month or less of the attack.”

This strongly suggests that a patch-deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than “fire drills” attempting to patch particular systems as soon as patches are released, the report says.

The bad guys know a lot of companies are slow to patch, and so they continue to cook up exploits for the older vulnerabilities, experts say.

In fact, security experts say, worms like Blaster and Sasser (launched four to five years ago against vulnerabilities for which patches were made available around the same period) are still in wide circulation today.

“You might have 99 out of 100 machines fully patched, but all it takes is one machine missing one patch,” says Eric Schultze, chief technology officer for Shavlik Technologies, a Roseville, Minn., maker of patch management software. “The administrator has to patch 100 percent of things, whereas the hacker only has to hope that only 99 percent got patched.”

The problem isn’t necessarily one of laziness. One of the problems, Schultze says, is hidden machines.

“There are some percentage of machines the company simply doesn’t know it has,” Schultze says. “It could be a rogue server sitting under someone’s desk, it could be a virtual machine up and running no one knows exists. If you don’t know a machine exists, it’s probably not going to get patched.”

That means, according to Ben Rothke, senior security consultant for BT Professional Services, that “you’ve got zero day threats and you’re working behind the clock.”

However, there’s a big difference between taking, say, two weeks to patch a system because you’re testing the patch and the six months in the Verizon report.

The first step in patch management, then, is inventory management. You need a complete inventory of all the systems on your network.

In all but the smallest companies, that usually requires an inventory program that can examine what’s actually on the network and give you a comprehensive report.

Beyond inventory, the next step is having a process to install and manage patches, backed by the appropriate software.

“There’s no shortage of software tools that can do the job,” says Rothke. “It comes down to having processes in place to deal with all that.” -Rick Cook

Photo by Veer
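The two controls the piece calls for, an inventory built from what is really on the wire and a patch process measured against the one-month window the Verizon report identifies, are easy to state and easy to get wrong if the compliance number is computed over the asset register instead of the scan. The script below is an added illustration, not code from the article or from Shavlik, Verizon or BT; the host names, patch ids, release dates and scan results are constructed sample data, and the 30-day threshold is the report’s “patched within a month” observation turned into an SLA.

```python
"""Inventory reconciliation and patch-age report. Added example; hosts, patch
IDs, release dates and scan results are constructed, not taken from the
article or the Verizon report."""
from datetime import date

TODAY = date(2008, 10, 1)      # constructed "now"
MAX_AGE_DAYS = 30              # Verizon: no breach used a patch less than a month old

# What the asset register says exists (constructed).
ASSET_INVENTORY = frozenset({"web01", "db01", "fs01"})

# What a network scan actually found, host -> patches installed (constructed).
SCAN_RESULTS = {
    "web01": {"KB-101", "KB-102"},
    "db01": {"KB-102"},          # missing a patch released months ago
    "fs01": {"KB-101", "KB-102"},
    "vm-unknown-7": set(),       # a VM nobody registered: Schultze's "hidden machine"
}

# Required patches and their release dates (constructed).
REQUIRED_PATCHES = {
    "KB-101": date(2008, 2, 1),
    "KB-102": date(2008, 9, 20),
}


def find_hidden_hosts(inventory, scan):
    """Hosts seen on the wire but absent from the asset register."""
    return sorted(set(scan) - set(inventory))


def overdue_patches(scan, required, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """host -> [(patch_id, days_since_release)] for required patches that are
    missing AND older than the window. A patch released last week that is
    still in testing is not flagged; one from February is."""
    report = {}
    for host, installed in sorted(scan.items()):
        late = [(pid, (today - released).days)
                for pid, released in sorted(required.items())
                if pid not in installed and (today - released).days > max_age_days]
        if late:
            report[host] = late
    return report


def coverage(scan, required):
    """Fraction of scanned hosts carrying every required patch: the
    '99 out of 100' number, computed over what is really on the network
    rather than over the register."""
    fully = sum(1 for installed in scan.values() if set(required) <= set(installed))
    return fully / len(scan)


def summarize(inventory, scan, required, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """One report a patch-management process can act on."""
    hidden = find_hidden_hosts(inventory, scan)
    overdue = overdue_patches(scan, required, today, max_age_days)
    return {
        "hidden_hosts": hidden,
        "overdue": overdue,
        # unregistered AND behind on patches: the machine that gets you breached
        "hidden_and_overdue": sorted(set(hidden) & set(overdue)),
        "coverage": coverage(scan, required),
    }


if __name__ == "__main__":
    for key, value in summarize(ASSET_INVENTORY, SCAN_RESULTS, REQUIRED_PATCHES).items():
        print(f"{key}: {value}")
```

On the constructed data the register thinks three hosts exist, the scan finds four, half of them are fully patched, and the host nobody registered is also the one carrying an eight-month-old gap. Feeding the reconciliation from the scan rather than the register is what makes the hidden machine show up at all.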


PHYSICAL  SECURITY 

RECESSION  WOES: 
WHAT  PEOPLE  STEAL 

With online thievery all the rage these days, it’s easy to forget that security pros are still dealing with people who steal the old-fashioned way.

As the economy sinks under the weight of high gas prices and a busted mortgage market, security pros are seeing a spike in old-school thievery, be it employees pocketing cash from the register, customers stuffing gold watches into their coats or thieves making off with copper and other metals from industrial sites.

The trend is hardly surprising in tough economic times. But experts say it illustrates the need for companies to approach online and physical security as one big challenge instead of as separate entities, and minimize losses by ensuring that staffing levels are adequate.

“It’s typical for short-sighted retailers to cut staff when sales fall, but this creates opportunity for shoplifters and motivates disgruntled employees to steal,” says Chris E. McGoey, a security consultant who maintains the Crime Doctor website and specializes in loss-prevention strategies.

During economic downturns, opportunistic theft increases along with organized retail crime, says Brad Brekke, vice president of assets protection for the Minneapolis-based Target retail chain. “We may see an increase in everyday necessity items being stolen, as well as popular items that are easily converted into cash,” he says, declining to list the specific items.

Beyond the retail environment, recession-related theft is also on the climb in and around industrial and infrastructure sites. In the best of times, copper is a particularly tempting target because of its high value. The appetite among thieves has only gotten worse as the economy tanks, if the situation at New Jersey-based PSE&G (Public Service Electric & Gas) is any indication. Jeffrey Herbert, PSE&G’s enterprise security command center coordinator, acknowledges that copper thieves have become more brazen in recent months. They’re willing to climb fences and utility poles, tearing and cutting the copper clean off them, then selling it on the black market.

Whether the problem is metal theft or retail shoplifting, security experts offer the same advice: Companies should have a layered security program that mixes employee awareness and training with technology, in this case, the cameras. Above all, companies should resist the temptation to cut security staff when profits slip. -Bill Brenner


>> BRIEFING

FROM CYBERSPACE TO OUTER SPACE

Malware Infects Space Station Laptops

Malware recently managed to get off the planet and onto the International Space Station (ISS), and it wasn’t a first.

The attack code, which space news site SpaceRef.com identified as “W32.Gammima.AG,” infected at least one of the laptops used on the station over the summer.

The first public report of malware aboard the ISS was logged on Aug. 11. In NASA’s daily status report on the station, the agency said that Sergey Volkov, the ISS commander, was “working on the Russian RSS-2 laptop” and “ran digital photo flash cards from stowage through a virus check with the Norton Antivirus application.”

A week later, on Aug. 21, Volkov “checked another Russian laptop, today RSK-1, for software viruses by scanning its hard drives and a photo disk.”

The next day, Volkov transmitted antivirus scanning results from the laptop to Earth, and U.S. astronaut Greg Chamitoff scanned another computer for possible infection. NASA also said that all laptops on board the ISS were being loaded with antivirus software.

W32.Gammima.AG, the name that Symantec, maker of Norton Antivirus, gave the malware, is a year-old Windows worm designed to steal information from players of 10 different online games, some of them specific to the Chinese market. Among the games: ZhengTu, HuangYi Online and Rohan.

The worm also plants a rootkit on the infected system and transmits hijacked data to a remote server.

It was never a threat to any command-and-control or operations computer, NASA insists.

- Gregg Keizer


You know access points. Gateways. Portals.

Doors are

ACCESS intelligence.

HID Global, the world leader in access control, brings you EDGE™, efficient and trouble-free IP-based solutions to extend the network to your company’s doors.

HID’s EDGE access control solutions are designed to fully leverage your company’s IT infrastructure, eliminating controllers and connecting easily with a network cable to each door. Simple to install and administrate, EDGE creates tangible cost savings, while using very little bandwidth. And, of course, you also get the security, reliability and support that have made us the top name in physical access control. EDGE from HID. It’s a natural move for the network. We call it bringing intelligence to the door.

>> BRIEFING

DATA PROTECTION

PCI Council to Merchants: Kiss Your WEP Goodbye

Bob Russo of the PCI Security Standards Council explains why ending WEP is critical

The security-savvy know WEP is full of holes and shouldn’t be used. But that’s not stopping some merchants from using it.

As a result, the PCI Security Standards Council is mandating its eradication in the next two years. The first step toward that is some fresh language on wireless security in the latest version of the PCI Data Security Standard (PCI DSS).

The council just recently launched PCI DSS version 1.2. Among other things, it removes references to WEP security and instead pushes organizations to use stronger forms of wireless network encryption.

New WEP deployments won’t be allowed after March 31, 2009, and current implementations must stop using WEP after June 30, 2010.

In this Q&A, PCI Security Standards Council General Manager Bob Russo explains the reasoning behind the move, as well as other changes in version 1.2.

CSO: What will people notice the most about version 1.2?

Bob Russo: I think the top of mind here should be clarity, making sure people understand specifically what the intent [of the standard] is. This is the culmination of two years of feedback the council has received. We’ve clarified specifics as to what needs to be secured. In some instances we’ve had to put a line in the sand and let people understand we’re moving away from some things at some point.

Give an example of that.

Wireless is a major area. We’ve had to make some specific clarifications and let people know we are eventually moving away from WEP. We need to let people know there are other technologies available and that it’s time we moved on to some of those new technologies.

PCI DSS VERSION 1.2 INCLUDES NEW LANGUAGE MANDATING THAT

■ Companies move away from WEP wireless networks

■ Flexibility be given to some companies regarding patch management cycles

■ Security at offsite storage facilities be inspected at least once a year

Source: PCI Security Council

What’s the timetable for no longer allowing anything with WEP?

I don’t think you can draw absolutes. There are always exceptions to the rules. But what we’ve stated in the summary is, no more new implementations of WEP after March 31, 2009, and the current implementations have to stop by the end of June 2010. There will always be issues, and we’ll need to move slowly and deal with problems on a case-by-case basis. But we need to let people know we are moving away from WEP.

Talk about some of the other aspects of the standard where people have clamored for better clarity.

One area that rose to the top was patch management and the need for installing patches within 30 days. In a large enterprise sometimes that may not be possible because of testing procedures. In some cases, based on the risk of the specific patch, the effect may not be so great. But if it’s a critical patch for a big gaping hole, you don’t want to delay getting that in because there’s a huge vulnerability there. In those instances 30 days or sooner is prudent on the part of the merchant. But there are others that require a longer testing plan, so we offer some flexibility there. If you take a risk-based approach, depending on what the patch is, we would allow longer than 30 days.

When can the industry expect the next PCI DSS update?

Generally we work on a two-year lifecycle. What you’re seeing now [with version 1.2] is the culmination of a year and a half to two years’ worth of feedback and input. And this is only a summary of changes. We’re still tweaking this, and there will be more meat by the time this is released in early October.

In the big picture, are most merchants doing what they really need to be doing to meet this standard?

I think most people are using the standard as a springboard to get secure not just with credit card data but for the entire enterprise. -B.B.




In this black and white world of infosecurity, there’s still one company that’s measured by the intangible:

60,000 members worldwide.

20 years of experience in information security.

6 ANSI/ISO/IEC Standard 17024 accredited certification programs.

1 globally accepted Code of Ethics.

And an uncommon goal toward professionalism, dedication and perseverance.

Add integrity to your resume with (ISC)2® certifications.

www.isc2.org/integrity

(ISC)2

SECURITY TRANSCENDS TECHNOLOGY®


>> BRIEFING

TORVALDS: FED UP WITH THE “SECURITY CIRCUS”

Linus Torvalds, creator of the Linux kernel, says he’s fed up with what he sees as a “security circus” surrounding software vulnerabilities and how they’re hyped by security people.

In a recent online posting, he wrote, “One reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior. It makes ‘heroes’ out of security people, as if the people who don’t just fix normal bugs aren’t as important. In fact, all the boring normal bugs are way more important, just because there’s a lot more of them.”

Never one to mince words, Torvalds also lobbed a verbal charge at the OpenBSD community:

“I think the OpenBSD crowd is a bunch of [egotistical] monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.”

Too often, he says, so-called “security” is split into two camps: one that believes in nondisclosure of problems by hiding knowledge until a bug is fixed, and one that “revels in exposing vendor security holes because they see that as just another proof that the vendors are corrupt and crap, which, admittedly, most are.”

Torvalds went on to say he views both groups as “crazy.”

“Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence,” Torvalds asserts. He says a lot of activity in both stems from public-relations posturing.

He says neither group is absolutely right in any event, and that a middle course, based on fixing things as early as possible without a lot of hype, is preferable.

“You need to fix things early, and that requires a certain level of disclosure for the developers,” Torvalds states, adding, “You also don’t need to make a big production out of it.”

Torvalds also says he doesn’t care for labeling updates and changes to Linux as a security fix in a security advisory.

“What does the whole security labeling give you? Except for more fodder for either of the PR camps that I obviously think are both idiots pushing for their own agenda,” Torvalds says. “It just perpetrates that whole false mind-set” and is a waste of resources, he says.

It’s better to avoid sticking solely to either “full and immediate disclosure” or ignoring bugs that might embarrass vendors, he points out.

“Any situation that allows the vendor to sit on the bug for weeks or months is unacceptable, as is any situation that makes it harder for people who find problems to talk to technical people,” he says.

-Ellen Messmer


Good and Bad in the Security Researcher Circus

Linux kernel creator Linus Torvalds’s frustration over the “security circus” surrounding software vulnerabilities is understandable but not entirely on the mark.

I’ve long believed that a lot of useless noise surrounds the flaw disclosure culture and that the findings very rarely meet doomsday expectations. In fact, the hype often distracts people from much bigger security problems.

And there’s no doubt the security research community has become something of a club, especially since the explosion of online social networking.

Go to a conference like Black Hat and the atmosphere resembles a club reunion. A lot of researchers are like rock stars. Many of them blog and can be found all over LinkedIn. Reporters love to be around them.

Sometimes there’s infighting over whether somebody is too slow or too eager to make a discovery public. When one researcher finds a big flaw, everyone wants to play with it and cook up his own exploit code, as the recent DNS (domain name system) saga clearly demonstrates.

Meanwhile, I’ve chatted with many a security administrator who’s failed to understand the media hype that often swirls around the latest big flaw.

As one trusted source told me, such hoopla can blind people to a much bigger problem: company networks that are so carelessly configured and maintained that attackers can drive a virtual truck through them without anyone noticing.

In the final analysis, security professionals should be able to pay attention to flaw reports, separate the hype from the issues worth addressing and act accordingly.

-B.B.




SECURITY WISDOM WATCH

There has been plenty of security news to cheer in recent weeks, along with plenty to jeer. Here’s a look around the horn:

MIT students: Hats off to the three MIT student researchers who found a potentially dangerous flaw in the ticketing system used by the Massachusetts transit authority.

MBTA: The managers of Boston’s subway system should have thanked the MIT students for flagging such a big flaw. Instead, they tried to put a gag over the students’ mouths. Fortunately, the move failed.

PCI DSS Council: Finally, someone is going to force retailers to stay away from WEP.

Infected space station laptops: In space, no one can hear your laptop crash.

New laptop bags: Who can argue about not having to take the laptop out of the bag during check-in at the airport? But will the bags be stylish enough to sell?

Apple: The company finally fixes the DNS flaw, but its security process remains woefully short on detail and adequate customer service.

DHS: The agency has had so much trouble developing a cybersecurity plan that the Center for Strategic and International Studies’ cybersecurity commission wants it off the case.

-B.B.


DATA INSECURITY

CRACKING THE CHARLIE CARD

One of the MIT students who found gaping holes in the Massachusetts transit authority’s ticketing system is speaking. Zack Anderson was one of three MIT students who caused a stir over the summer when they decided to disclose flaws they’d discovered in the transit authority’s “Charlie Card” fare system.

Anderson, Russell “RJ” Ryan and Alessandro Chiesa planned to show off their findings at the Defcon hacker conference in August, prompting the Massachusetts Bay Transportation Authority (MBTA) to seek a temporary gag order until the problems could be fixed.

A U.S. District Court judge eventually dissolved the gag order, but the incident rekindled debate over whether flaws should be publicly disclosed before the affected vendor has a chance to fix them.

Anderson recently opened up about the affair in an interview with CSO.

He says the hacking started as a class project. “We wanted to do a security analysis of an important system which, if the security were compromised, could lead to a number of issues,” he says. “We settled on subway fare collection systems and saw that the system integrator that makes Boston’s fare collection system also makes collection systems around the world. We figured that if we were to find vulnerabilities in the Boston system they might well apply to others.”

He says he and his peers were stunned over the MBTA’s response, but that they have no regrets. They feel the flaw exposure was necessary.

“What was most surprising was the fact that they already have a lot of infrastructure in place to build a much more secure system but they don’t have the software to leverage that hardware,” Anderson says.

But he admits the process could have been better handled.

“Responsible disclosure implies you’re not going to create havoc for the vendor who legitimately wants to fix the problem but doesn’t necessarily have the time. You want to give the vendor some time,” he says.

“In our case, we gave them a little time but probably not enough for the fixes they needed to do. But the key point for us was that in our presentation we were going to leave out a few major details so someone couldn’t go defraud the MBTA. On that basis, we felt that what we were doing was responsible disclosure. The key is to maintain a level of trust from the beginning, and I think that’s where it went wrong for us.”

His advice to other researchers so that they might be able to avoid the situation he found himself in?

“One key point is that you need to maintain a trust relationship with the vendor from the beginning,” he says. “Contacting the vendor before even a vague public mention is pretty important. You want to speak to someone at the top.”

The bottom-up approach is not good because you can speak to someone who is fine with what you’re showing them and will sign off on it, but that doesn’t mean everyone’s going to be fine with it, he says.

-B.B.


By Rick Cook

Security Central

Endpoint technologies and virtualization software get a lot of ink these days, but here’s a quick look at five other key security areas addressed by data-center tools

Protecting a corporate data center is like trying to keep an elephant safe from a swarm of flies. Despite your best efforts, bites happen. As the staples of security, such as firewalls, antivirus software, spam and spyware filters, come together in suites of products that allow for sophisticated management, there are other security tools either emerging or worth a rethink.

Don’t Get Logrolled

One of the biggest problems CSOs face is figuring out what’s actually threatening their data center. Antivirus software, firewalls and intrusion-detection systems can log massive amounts of data about who is trying to do what to your data center. Just tracking it across different software programs, and across departmental systems, presents a vexing challenge, says James Quin, senior research analyst for the Info-Tech Research Group of London, Ontario.

“For organizations to parse through and then correlate and cross-reference all that data is a ridiculous amount of work and very labor-intensive,” Quin says. He recommends log analyzers, also known as security information managers (SIMs) and security information and event managers (SIEMs), that can aggregate data from a variety of systems. Such tools allow for centralized correlation and management of logs, and usually come with reporting and analytics tools.

ArcSight is an example of such a tool that would work best for businesses that track large quantities of log data or want lots of features.

ArcSight is kind of a “Swiss army knife for logs,” says Dennis Hein, senior information security engineer with Wells Fargo in San Francisco. He uses the product to meld together all the bank’s system logs into one place. This saves him from tracking down anomalies, he says. “Things that would take days to investigate we can do in a matter of minutes and hours,” Hein says, because the tool can be set to produce well-formatted reports.

For smaller firms or those with less-customized needs, TriGeo from TriGeo Network


Your next attacker will be highly motivated.

Fortunately, so are we.

If it’s worth storing, it’s worth stealing. We know because we’re SecureWorks, and nobody is better positioned to defend your network. Our client-dedicated security analysts work round-the-clock supported by the industry-leading counter-threat unit and state-of-the-art threat correlation platform, all to ensure your company and your reputation remain intact.

SecureWorks

www.secureworks.com

©2007 SecureWorks, all rights reserved. SecureWorks and the SecureWorks logo are registered trademarks of SecureWorks.


>> TOOLBOX

Security and Symantec’s Security Information Manager aren’t as robust as ArcSight, but they are simpler to use, especially for firms without particular security expertise.

Another practical reason for using log aggregators: They can stop smart attacks. “If you’ve got someone coming through who knows how to do it, an attack may raise a succession of yellow flags, but no red ones,” says Mike Halperin, vice president of technology at Akibia, a Westborough, Mass., consultancy specializing in data centers.
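Halperin’s point, that a capable intruder trips a run of low-severity signals but never a single high-severity one, is exactly what cross-source correlation in a SIM/SIEM is for. The Python below is an added example, not code from the article or from any product it names: it assumes a hypothetical normalised log format (time, source, severity, host, message) and runs over constructed sample lines, escalating a host only when several distinct tools each flag it inside one time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines (made up for this example, not real data).
# Field layout is a hypothetical normalised format:
#   <ISO-8601 time> <source> <severity> <host> <free-text message>
SAMPLE_LOGS = [
    "2008-10-01T09:00:05 firewall low 10.0.0.7 denied outbound tcp/445",
    "2008-10-01T09:02:10 ids low 10.0.0.7 internal port sweep",
    "2008-10-01T09:04:30 antivirus low 10.0.0.7 heuristic match on temp file",
    "2008-10-01T09:06:00 firewall low 10.0.0.7 denied outbound tcp/139",
    "2008-10-01T09:30:00 firewall low 10.0.0.9 denied outbound tcp/22",
    "this line is malformed and must be skipped",
    "2008-10-01T11:00:00 ids low 10.0.0.9 internal port sweep",
    "2008-10-01T11:01:00 firewall low 10.0.0.9 denied outbound tcp/22",
    "2008-10-01T11:02:00 firewall low 10.0.0.9 denied outbound tcp/23",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one normalised log line into fields; return None if it does not fit."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"time": when, "source": parts[1], "severity": parts[2],
            "host": parts[3], "message": parts[4]}


def correlate(lines: List[str], window: timedelta = timedelta(minutes=15),
              min_sources: int = 3) -> Dict[str, dict]:
    """Escalate a host when at least `min_sources` distinct tools each raised a
    low-severity event about it inside one sliding `window`.

    A single chatty source (a firewall denying the same port over and over)
    never escalates on its own; only breadth across sources does.
    """
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None and event["severity"] == "low":
            by_host[event["host"]].append(event)

    alerts: Dict[str, dict] = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end, current in enumerate(events):
            # Slide the window start forward until every event in it is recent enough.
            while current["time"] - events[start]["time"] > window:
                start += 1
            in_window = events[start:end + 1]
            sources = {e["source"] for e in in_window}
            if len(sources) >= min_sources:
                alerts[host] = {
                    "sources": sorted(sources),
                    "first": in_window[0]["time"],
                    "last": current["time"],
                    "events": len(in_window),
                }
                break  # one escalation per host is enough for an analyst to act on
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_LOGS).items():
        print(f"ESCALATE {host}: {alert['events']} events from "
              f"{', '.join(alert['sources'])} between {alert['first']} and {alert['last']}")
```

With the sample lines, 10.0.0.7 is escalated (firewall, IDS and antivirus all fire within five minutes) while 10.0.0.9 is not, because its two sources never coincide inside a 15-minute window.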


Expose Your Weaknesses

The CSO’s version of introspection involves searching within the data center to look for weaknesses. For this process, consider vulnerability assessment and management tools like eEye Digital Security’s Retina vulnerability scanner, GFI LANguard’s vulnerability scanner with patch management and security auditing, or Qualys, a relatively simple to use Web-based tool for companies that may not have security staff with relevant skills.

County Bank, a 40-branch bank based in Merced, Calif., runs an AS/400 and about 40 PC servers and uses Qualys to conduct regular scans on the servers.

“Having a tool like this is extremely important,” says Charlie McClain, information security officer at County Bank. “The vulnerability picture in the Windows environment changes on a daily basis.” He likes Qualys because it keeps up with those vulnerabilities, meaning he does not have to.

In addition to scanning the Windows servers daily, County Bank scans its AS/400 once a month.

Also on the market is Nessus, the open-source vulnerability scanner that is no longer included in the BackTrack CD because of kernel compatibility issues.

It’s important to scan frequently. “Scan every 24 hours, looking for the silly human mistakes people make,” says Ken van Wyk, founder and principal consultant at KRvW Associates, an Alexandria, Va.-based security consultancy. He says that changes in applications, configurations, servers or the network can accidentally open vulnerabilities as a side effect and need to be spotted early.

CSI Data Center

Vulnerability scanners are perhaps the best-known computer-forensics tools. Forensics tools range from basic log scanners to very elaborate programs that can examine the guts of your system at a deep level. The skill and technical knowledge needed to run these tools varies greatly. Serious forensics analysis is a job for experts, but just about anybody can use other simpler analysis tools, although interpretation may require special knowledge. Every CSO should have at least some basic forensics tools to use in the data center.

Perhaps the best example is the BackTrack 3 CD (www.remote-exploit.org/backtrack.html), a live CD containing a collection of open-source forensics tools. “One thing someone [who is handling data center security] should do is download BackTrack 3 CD, learn how to use it and learn how to create visibility into their network environment,” says John Kindervag, a senior analyst at Forrester Research.

Plug the Leaks

Software that monitors the data that leaves the data center and attempts to prevent the inappropriate export of sensitive data is called data-leakage-protection software. Other names for this fairly new area are data loss prevention (DLP), information leak detection and prevention (ILDP), information leak prevention (ILP), content monitoring and filtering (CMF) or extrusion prevention system.

Data-leakage protection is attracting a lot of attention as companies shift focus from strict concentration on threats coming in, to what’s going out of their organizations. “Protecting data by making sure it doesn’t exit the company inappropriately is the key,” says Quin, adding that data leakage protection is “outside the norm as it stands now but certainly something that has a great relevance to every organization.”

Most of the companies in the DLP market were startups, but in the last six to nine months the big security vendors have snapped up many of the independent players in the space. Symantec now has Vontu, RSA has Tablus (now part of the RSA Data Loss Prevention Suite) and McAfee has Reconnex, he notes. “The combination of these tools backed by larger, richer and capable organizations puts these tools and these companies in a leadership position,” Quin says.

Other considerations are the size of the company and the resources you have to devote to security. Quin says there are several areas where the most capable product isn’t necessarily the best one for small and midsize businesses; in every case, CSOs will have to evaluate functionality versus constraints such as price and manpower requirements.

You Must Comply

Controlling access is a core aspect of data-center security management. Identity-management systems that can be set to control what legitimate users can access are now well-established, with tools like IBM’s Tivoli ID Manager and Access Manager and competing products from Oracle, BMC, CA and Novell.

But an emerging part of access management is policy compliance management, which uses security policies to control access to resources, rather than looking at individual identities. Symantec’s BindView and Elemental Security’s Elemental Security Platform are examples.

Remember that one aspect of data-center security is that many of the tools have overlapping functions and feature sets. One analyst’s log analysis tool is another’s security information manager, for instance. That’s likely to continue as vendors try to beef up their product lines. ■

Rick Cook is a freelance writer based in Arizona. Send feedback to Editor Derek Slater at dslater@cxo.com.


Not Sure? Let Reconnex Help.

Reconnex is positioned in the Leader’s Quadrant of Gartner, Inc.’s Content Monitoring and Filtering and Data Loss Prevention Magic Quadrant¹ and named a leader in the Forrester Wave™: Data Leak Prevention Q2 2008 Report. Customers appreciate our unique ability to help them understand their sensitive data. Over one million users trust us to protect their information today.

::: Reconnex

DATA LOSS PREVENTION APPLIANCES

WHY RECONNEX?

SIMPLE. Automatic Rule Creation
FAST. Turnkey Appliance Solution
COMPLETE. Full Functionality. No Compromises.

TAKE THE FIRST STEP.

Get a complimentary* Risk Assessment from Reconnex. Find out more at www.reconnex.net/LEADER

*Qualifications apply.

¹ From Gartner, Inc. “Content Monitoring and Filtering and Data Loss Prevention Magic Quadrant” report by Eric Ouellet and Paul Proctor, published on June 17, 2008. The Gartner Magic Quadrant is copyrighted by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.




COVER STORY | FACILITIES

Companies in all industries struggle to secure the sensitive spot where goods come in and go out. Follow these best practices and sleep better tonight.

Photos by Veer

October 2008 www.csoonline.com 23

It's the stuff of CSO nightmares. Early on the morning of Sept. 2, while most folks were home sleeping off the hot dogs, thieves used bolt cutters to break into an Alltel Communications warehouse and four of its loading docks in Fort Smith, Ark. Sources say they escaped with an estimated $10 million worth of cell phones, not a bad haul for their Labor Day efforts.

The burglary had been extensively planned. Fort Smith police said the thieves apparently seized the opportunity to strike when they knew the warehouse would be closed for several days over the holiday weekend, entering through a hole they cut through the ceiling of the warehouse. They managed to disable the alarm and surveillance systems before helping themselves to four tractor-trailers loaded with cell phones.

Unfortunately, this highly detailed, finely executed attack is typical of today's loading dock thefts, according to Dan Purtell, president of the supply chain security division for First Advantage, a security services firm in Poway, Calif. (Alltel did not respond to requests for an interview.)

"This was a very organized group that did a lot of work before they hit the facility," says Purtell. "These guys spend as much time as they need to do the research necessary to pull off a heist like this." And when warehouses and loading docks get hit these days, the losses tend to be big.

But loading dock security is not just about loss prevention. Today, many companies bolster their physical security measures for the loading dock and elsewhere in order to comply with programs and regulations ranging from the Customs-Trade Partnership Against Terrorism (C-TPAT) to the Free and Secure Trade Program (FAST) to vertical industry-specific versions. Many of these programs are currently voluntary and are designed to attract companies with the promise of faster trade clearance in exchange for compliance. Progressive companies are addressing compliance now, so that they will be ready if the requirements ever become mandatory.

In the meantime, they enjoy the perks that go along with compliance while also reaping the benefits of enhanced security. Securing the loading dock is no simple undertaking, however. As with most things, it requires a mix of procedures, training and technology. Experts and CSOs in the trenches recommend that you start with the following best practices:

Take a risk-based approach. Air Products, a $10 billion gases and chemicals company, has a consistent security program across its operations in more than 40 countries. But some regions are unstable enough to require additional security measures layered on top of the existing program, according to Marc Murphy, global supply chain security lead for Air Products, in Allentown, Pa. "Our approach to security is risk-based, first and foremost. In areas where we have concerns, we make the appropriate choices for security there." According to Purtell, high-risk areas include Brazil, South Africa, Mexico, the U.K., Russia and the Netherlands.

Beef up access control. Programs like C-TPAT that address loading dock security place access control above all. Badges, gates, cameras, guards, barriers, bollards, turnstiles, biometric devices: Purtell recommends that his clients employ several of these at the least, backed up by well-documented procedures and well-trained personnel. "High-risk areas should have concentric rings of security," he says, starting with access badges, video cameras and gates, and rising to biometric devices such as fingerprint readers or retina scanners for the most sensitive areas or where the potential value of loss is high.

Keep the overhead doors locked. Under the heading of access control, don't succumb to the temptation to let overhead loading dock doors stay open during business hours, advises Alan Greggo, associate VP of loss prevention for Luxottica Retail, an eyewear retailer based in Cincinnati. "Access to the key that unlocks those doors should be severely limited, perhaps to just one supervisor. When those people go on break and lunch they will press a button, the camera clicks on and shows who the person is and then lets the person in," says Greggo. That door is also wired to the control room. As much as employees might complain, the key is to not leave those doors open so people go in and out at will. "If you do that, you lose internal and external control. Sometimes people want the ease of flow, in and out, but from a security standpoint, there is not enough control," he says. "Just having a rent-a-guard there does not give enough security. You have to find out who's present and who is overseeing what is being taken in and out of the facility."

Questions, Questions

Shipping and receiving are trickiest in multitenant facilities. Here's a tool for assessing risk in such a scenario.

Facilities and staffing:

O Are shipping (outbound) and receiving (inbound) areas physically separated? Are appropriate controls applied to each area?
O For safety (and efficiency) purposes, is the platform height aligned with typical truck-bed height?
O Is this height adjustable?
O What are the hours of operation, and does the facility provide supervision and staff at all times?
O Are rest areas and toilet facilities provided?
O Who controls access to these areas?
O Do the doors close and lock automatically?
O Are pedestrians allowed to enter the dock area?

Delivery vehicles and drivers:

O Are all vehicles logged in and out?
O Are vehicles inspected before entering loading docks?
O Are keys left in delivery vehicles, or are the keys stored in a secure area?
O Who is permitted to move vehicles: drivers only, or loading dock personnel as well?
O Are all operators trained, licensed and insured?
O Are drivers allowed to enter the building to complete deliveries?
O Are drivers required to wear ID badges in the facility?
O Are other vehicles (such as employees' cars) permitted to park in these areas?
O Are the movements of vehicle drivers and delivery people restricted in the dock area?

Lighting:

O What type of lighting is provided for the dock area?
O Are all exterior doorways, walkways, entries and elevator lobbies adequately lit?
O Are the lights in operation during all hours of darkness, and is a timer system used?
O Is the lighting system regularly inspected, and if so, by whom?
O Is there emergency lighting in case of power failure?

Surveillance:

O Are all loading dock areas covered by surveillance cameras?
O Are the image quality, frame rate and video-storage period appropriate?
O Are cameras black-and-white or color, digital or analog?
O Does the system capture and store vehicle license plate images?
O Are outside cameras weatherproof?
O Are cameras adequately secured?
O Is surveillance video monitored in real time, or are any video analytics in use?

Adapted from "Call Centers: Risk Assessment Reminders" (CSOonline.com) and High-Rise Security and Fire Life Safety, 2nd edition, by Geoff Craighead (Butterworth-Heinemann, 2003).



Secure your supply chain. It is human nature to concentrate on what is directly in front of you. Many companies therefore work hard to secure the loading docks at their own facilities but don't pay much attention to the security measures used by their supply chain partners. "People lose sight of cargo when it leaves their factory and it goes into a black hole called the supply chain. They pay for high security at their factories and contract manufacturing locations," he says. "But unless they put requirements into their supply chain, they won't like the way it's treated and stored. A lot of companies turn a blind eye to it unless they have huge exposure."

Focus on trucks. In the Alltel burglary mentioned above, the thieves stole trucks locally and brought them to the warehouse to load up with loot. In this instance, the warehouse and loading docks were the locus of the loss. But First Advantage data collected from customers indicates that 85 percent of financial loss now occurs at the trucking stage, as opposed to warehousing. "A few years ago, warehousing accounted for 40 percent of losses; now it's 10 percent or 12 percent," says Purtell. It pays to concentrate more on the truck features as well as on driver training. Drivers should be restricted to a waiting room and bathroom, he adds, and have no access to the count area. "Drivers should be restricted and controlled in the dock. They should not have access to a shipping/receiving area. That driver could take a couple of boxes from the prestaged cargo area in the next bay and put them on one of their pallets. Or make plans for a future attack," says Purtell.

Get the timing right. Spartan Stores, a chain of grocery stores based in Grand Rapids, Mich., restricts the hours during which it receives truckloads. "We have policies on what time loads can come in," says Tim Bartkowiak, Spartan's director of security and loss prevention. "We don't want them there too early," when the contents might be more vulnerable. During the appointed hours, a vendor-receiver checks in each truckload as it arrives, opening the doors only as necessary and only to those with express clearance.

Build in security from the get-go. As a large enterprise, Air Products has manufacturing operations, warehouses and distribution centers worldwide; building new facilities is just part of doing business. Along with the rest of the security team, Murphy has learned that it is a lot easier and more cost-effective to build in loading dock security from a facility's inception than to retrofit it later. "Our operations had some trouble where they would build a facility, get it up and running and then realize they didn't have the gates, alarms and cameras. Then they would have to go back and install them," he says. Now, these things are built into the design. "Everything is already in place and ready to go for when they're needed, even if that is sometime down the road," says Murphy. The company's engineering and business teams are pleased with the savings they realize by incorporating these security measures early on, he reports.

Make sure security and safety work together. Safety is paramount in the chemical industry, which has collectively spent more than $3 billion to shore up security at its facilities since 9/11. Air Products maintains an excellent safety record. "As an engineering and manufacturing company, we focus on safety. We have consistent practices and training that we use worldwide," says Murphy. Both security and safety operate across all businesses and organizations at the corporate level with clear senior executive support, which helps sustain consistency, he adds. (See "Safety Dance" in the September issue of CSO for an in-depth look at the intersection of security and safety.)

Protect against other types of potential losses. Much of loading dock security concerns loss prevention. Much, but not all. For Geoff Craighead, who specializes in high-rise building security, the threat of workplace violence arising from a lapse in security is real. "You might have a problem with a former employee or a domestic partner who is disgruntled," says Craighead, VP of high-rise and real estate services for Securitas in Los Angeles. "If they can gain access to a tenant floor through the loading dock area, that is a potential problem. It's not only a property issue. It's a people issue." This type of threat, unlike loss of goods generally, can be very opportunistic. "They're up in the building, and security doesn't even know they're there. Guards should always be present at the loading dock to restrict access to the building when the doors are open," he advises. Anyone entering should have a legitimate purpose and be monitored to ensure that he or she goes to the right floor.

Keep an eye toward compliance. Along with the chemical space, the food industry is among the verticals contending with DHS regulations, including those concerning mandated track and traceability for food ingredients. Contaminants and tampering could be introduced at the loading dock, so it's critical to secure the area. Though these programs are voluntary at present, Bartkowiak wants to be ready should they become compulsory. "We're looking at being able to maintain traceability in an efficient manner," he says. "I've heard some companies are requiring their carriers to supply documentation for recall, traceability and food protection, and their loads now have to be sealed." While Bartkowiak figures out what steps Spartan needs to take to be prepared, he worries about the additional cost of these measures. "We're waiting to see how that's going to come down."

To Murphy, active executive support and sponsorship from the highest levels is the most important factor for success. At Air Products, that means security and operations work closely together. "We're not siloed. We work across the board. Our security standards reside within various business areas of our corporate and operations groups. That has been very beneficial for us," he says. "The security team also runs our emergency response and plays a critical role in the crisis management function for the corporation. We have a 24/7 security operations center. That really allowed us to work with all different facets of the business." ■

Lauren Gibbons Paul is a freelance writer based near Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


I protect a 2 billion dollar retail business

I believe security should enable business growth not limit it.

I focus on what's important.

I innovate

I am fearless

When it comes to security, most businesses understand what it means to fail. But few can imagine what it would mean to succeed. RSA's information-centric security solutions can move your business forward. That's why we're the chosen security partner of more than 90 percent of the Fortune 500.

Don't just secure your business. Accelerate it. Learn more at www.rsa.com/go/kayak

RSA, The Security Division of EMC

Secure Anytime Anywhere Access | Protect Customer Identities | Secure Enterprise Data | Manage Compliance and Security Information

©2007 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.


CRITICAL INFRASTRUCTURE

Stephen Flynn, a noted critic of DHS's cargo security efforts, sees slow but steady steps, and room for improvement.

Photo by Veer

Stephen Flynn has been quite vocal in his criticisms of U.S. port and cargo security. Flynn, a former commanding officer in the Coast Guard and now a senior fellow for Counterterrorism and National Security Studies at the Council on Foreign Relations, has authored numerous books and papers on the subject, including 2004's America the Vulnerable. Flynn spoke with CSO Senior Editor Joan Goodchild about Operation Cargo Safety and other initiatives.

CSO: In a 2006 interview, you gave the country a D+ grade when it came to the current state of port and cargo security. And that D+ was up from an F a few years prior. Where do we stand now in 2008?

Stephen Flynn: We are moving probably to a C- grade. There are essentially three challenges in the area of port security and cargo security. The first is that, potentially, our ports can be used as a conduit to bring destructive things into the country, such as a dirty bomb, a radiological device or, in a worst-case scenario, a nuclear bomb. So the first set of challenges is to figure out how to find the needle in the haystack in the tremendous volume of cargo and in a complex environment like our ports if someone wanted to smuggle something in.

The port environment itself contains tremendous critical infrastructure that is essential to our economy and puts at risk, particularly in communities like Seattle, where you have a lot of port infrastructure close to where people live, things like refineries, power generation plants, transportation hubs and bridges. There is a lot that is truly critical. A lot of our population was built around ports, and a lot of the infrastructure is essential to our way of life.

The area where the government has the longest way to go is in creating a reaction where we basically shut things down to sort things out. That is, the need to see that the intermodal transportation system itself beyond the port environment is a critical infrastructure.

This is absolutely indispensable to our environment, potentially targeting that system [versus] exploiting it.

We've made considerable progress from where we were before. We have a kind of framework that's been put in place since 9/11, from the pushing of borders out, to having customs agents overseas, to having efforts to get companies to be far more security-minded than they were before with programs like C-TPAT [Customs-Trade Partnership Against Terrorism]. But this last problem, the ability to recover and have a measured response, that's where efforts are close to failing and is something that should give all of us considerable pause.

It's been a few years since Operation Cargo Safety commenced. With regard to that effort, have we learned anything?

The results have not been widely published or shared. So most of us don't know what we learned from running those pilots.

That operation goes back to an initiative that was launched after 9/11. A first shipment from the Czech Republic was followed through to the United States through Vermont and New Hampshire. The results of that first effort in May 2002 spawned legislative action.

There were always pieces that I thought were essential to that early work. One was to get people to understand that what we were really trying to manage was more about the global supply chain than it was about our borders. Immediately after 9/11, I was concerned the reflex would be to stop everything and check it at our border crossings. We did that for a little while and found out it wasn't sustainable, as everything was backed up at borders and in ports. Fundamentally, there is a much greater understanding that things arrive through a very complex cycle known as the supply chain. But people needed to understand that was ultimately the problem we were dealing with.

The second piece was to identify whether there were new tools and technologies that would give us better transparency for the combination of visibility and accountability of what was moving through the system. Were there tools out there that could be applied? My interest was driven through sensing there were tools out there, but also that there was a lot that would be oversold as a silver bullet.

When you are trying to sort out where to go, you need basic data. What's out there that sounds reasonable, and what's out there that is still in the realm of science fiction? The goal there was largely educational. The real partners had to be nongovernment players.

I wanted to make sure we were going to be very open about what the results were. The problem was, there was the opposite instinct, rather than create an open and inclusive process. First responders are always going to be private players, members of the public. But the program ended up being managed as a closed government process. The results were sealed off and not well-shared. Most folks who would be part of the solutions have been mostly kept in the dark.

The opportunity for commerce is to ask: How have you developed tools to ensure you've minimized the risk of exploitation of critical lifelines by an adversary? That is not going to be an inherently governmental activity. What it is at its heart is a business-continuity challenge for the intermodal transportation system and those who rely on it. So what we have is a problem that lies in the private sector's lap. They have to be at the heart of efforts to safeguard it.

We need a reorientation away from thinking the government will figure out what is going to make us secure, and pass these tablets down and set reasonable deadlines and check in once in a while. We need to go in the direction of a true partnership that largely originates with those who operate the business and is validated by government.

How do we accomplish that?

At the heart of the challenge is a global set of systems where some portions are very concentrated; megaports, for instance. But we also have, when we go back to the factories, a widely dispersed system. So the challenge, from a single company's standpoint, is, I can control what happens on my real estate. But then I get into the system and it has a lot of anarchic qualities, chaotic qualities, as to how it operates. So it quickly gets out of my control. What we are struggling with, on one hand: People who own and operate [transportation infrastructure] need to develop tools. But that needs to be done on as close to a global basis as possible. The public sector is going to be part of kibitzing on how this is going to happen. So it's a massive choreography challenge. It's often less about technology than it is choreography of getting all participants, public and private, into the plan of how to move forward.

I think what we have is some basic tools that get us in the direction we need to go. We've begun processes like C-TPAT. We've set a framework through the ASME [American Society of Mechanical Engineers] code of common sets of requirements of things that need to happen in facilities and on vessels, etc. So we have a skeleton around which this can happen.

What's been missing is an effort to validate that these efforts are being done. This is where government efforts are getting in the way. Customs has not supported third-party validation. Screening of cargo is going to have to be done as it has been done in the aviation sector, with private efforts to do that. The government's job will have to be to validate the validators.

Where do you think companies stand now?

There are certainly a lot more parts of the system companies can control than there were in the past. A lot has been animated by C-TPAT protocol, which basically says we need private-sector companies to take greater ownership. A lot of good companies have stepped up to that plate and made efforts in factories, in physical security on loading docks. There clearly has been a lot of activity in that realm.

The biggest challenge in maturing our efforts to improve supply chain security involves things that lie largely outside the scope of what individual companies can do and what government officials can do, even one as powerful as the U.S. government.

This is because global logistics operate in what is essentially a transnational environment, where direct contact with government authorities is limited and where the capabilities, and integrity, of those government authorities are very uneven. What is required is that the security regimes operate much like the modern safety and quality regimes, where there are industrywide efforts (such as ISO) to develop standards and to police those standards through auditors and classification societies such as Bureau Veritas and the American Bureau of Shipping. Then governments play essentially a spot-check role.

In my experience, the evolution of container security has been constrained, and not because there is active resistance from the private sector. I continue to find interest and concern that more needs to be done among many responsible companies. The problem lies with the fact that the development of the regime continues to be too government-centric in its design and execution. That is, Customs and Border Protection has largely tried to maintain control of setting the global requirements, and it has been reluctant to accept third-party policing mechanisms to verify those standards are being kept. ■


SECURITY SMART (TM)

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees, saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees, your organization's most valuable assets, will read and retain the information.




Subscribe  today! 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 




For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security Smart is published by CSO, a business unit of CXO Media. © 2007 CXO Media Inc.


cso 


BUSINESS  RISK  LEADERSHIP 


LEGAL  ISSUES 


Will  your  company’s  evidence  stand 
up  in  court?  Two  experts  say  CISOs 
have  a  critical  role  to  play— not  just  in 
e-discovery  but  also  in  preservation 
and  presentation.  The  first  step  is 
understanding  how  judges  decide 
admissibility  of  electronic  evidence. 

By  Jacques  Francoeur  and  Steven  Teppler 


THE  DECEMBER  2006  amendments 
to  the  Federal  Rules  of  Civil  Procedure 
(FRCP)  created  new  information  gover¬ 
nance  risks  (and  heightened  existing  ones) 
as  they  relate  to  litigation  holds,  spoliation 
and  duties  to  preserve. 

You  can  find  a  comprehensive  review  of 
the  current  evidence  preservation  require¬ 
ments  in  an  online  article  by  Thomas  All- 
man  entitled  “Preservation  Obligations 
and  the  2006  E-Discovery  Amendments,” 
available  at  www.cgocouncil.com/resources/ 
Allman_PreservationObligations.pdf.  Our 
intent  is  not  to  rehash  those  requirements 
but  to  help  CISOs  understand  how  judges 
determine  whether  a  particular  piece  of 
electronic  evidence  will  be  admitted  in  a 
court  case.  Understanding  that  process 
will  help  CISOs  in  creating  an  information 
security  strategy  that  produces  evidence 
that  can  stand  up  in  court. 

From the perspective of information security, the risks created by the changes in the FRCP simply represent another organizational risk category that expands the set of existing risks to information. These legal and litigation risks are significant and must be evaluated in a fashion similar to other information risks. They will require their own cost-benefit analyses and should lead to a decision to implement a set of controls intended to mitigate the risks to a desired level. In many cases, the controls necessary to mitigate these legal risks will be very similar to the ones already in place for dealing with other information risks.

The key legal risks related to the discovery of digital evidence include spoliation (meaning that the evidence has been significantly altered), withholding and negligent destruction. The penalties for these claims are severe, and the result can be a dismissal of your case, adverse judgments or jury instructions, or the exclusion of your critical evidence.

Understanding the role of information security and the chief information security officer (CISO) in the admissibility of electronically stored information (ESI) requires an understanding of the evidence strategies of counsel for the plaintiff and defendant, as well as the logic followed by a judge in determining whether evidence is admissible in a case. Within the e-discovery process of identification, collection, preservation, analysis and production of relevant ESI, the final “presentation” stage is critical to the admissibility of the evidence. This phase determines how ESI is evaluated for admissibility. What is the strategy that should be taken by counsel? How can the CISO support this strategy? And what will be the adversarial strategy of the opposing counsel? As the plaintiff, your objective is to present your case against the defendant. What will be the strategy of the defendant? Your organization must ensure its evidence is admitted in support of your claims. The defendant will also have evidence intended to defeat your case; you must also seek to have that evidence excluded or discredited—just as the defendant will seek to have your organization’s evidence excluded or discredited to weaken your case. Accordingly, you, as plaintiff, will need to ensure that the defendant’s evidence presented against you (in an attempt to refute your claims and support his) is not admitted or is discredited.

If your organization is the defendant, the same concepts apply. You must ensure your evidence is admitted in support of your objective, to refute the plaintiff’s claims against your organization and defeat his case. You must also seek to have excluded or discredited the plaintiff’s evidence offered in making his case against your organization. The plaintiff, in its opposition stance, will seek to have your organization’s evidence excluded or discredited.

In these efforts, you face three key tactical requirements. The most fundamental requirement is to ensure that your organization’s electronic evidence is admitted. The second requirement is to refute any claim that your systems (and any output generated by your systems) are not reliable, or that your evidence is not authentic. The third requirement is to develop a strategy to have excluded or to discredit the evidence submitted against your organization. An understanding of the counsel evidence strategy is just one side of the admissibility equation. The second side is how the judge will respond to this strategy. What is the admissibility-decision logic of the judge?

The judge’s admissibility-decision logic is guided by the Federal Rules of Evidence (FRE). However, these rules were written in the era of the nonelectronic, paper-and-ink-as-physical-evidence world, when paper records were the norm. The following Evidence Admissibility Decision Tree chart refers to the FRE, where necessary, for outlining the decisional logic used in determining whether ESI should be considered admissible in general and specifically as the FRE relates to information security issues.

Illustration by CSA Images/Veer

October 2008 www.csoonline.com 33

It is important to understand that ESI deemed admissible does not necessarily mean it will be admitted into evidence, as other determining factors (not relevant to this discussion, such as prejudice) are involved in that decision. For purposes of this analysis, therefore, the FRE will be discussed as it relates to the interplay between ESI and the admissibility-decision logic, and to the dependencies on information technology and information security.

A landmark 2007 court decision provides a preliminary guide for lawyers seeking to admit ESI in evidence at trial. In Lorraine v. Markel American Insurance Company, a 100-plus page opinion sets forth in detail the burdens and pitfalls associated with ESI, offering a rudimentary approach/framework for authentication and admissibility of digital evidence. The decision states that the FRE sets out a “collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible.”

The  “series  of  hurdles”  are  referred  to 
as  evidence  rules.  These  rules  are  defined 
by  the  FRE  and  implemented  by  the  judge. 

Determining the admissibility of ESI may generally be described in the admissibility-decision logic tree illustrated in the following chart. In a follow-on article, we will look at the specific role of information security and the CISO in terms of a practical framework. But understanding the admissibility decision process, and the stages of that process that directly affect information security, is a critical first step. ■


Jacques R. Francoeur (francoeurj@saic.com) is senior director, Identity & Information Assurance at SAIC and executive director, The CSO Council, Bay Area. Steven Teppler (steppler@kamberedelson.com) is senior counsel, KamberEdelson LLC, NYC.


This flowchart demonstrates how judges decide whether a given piece of electronic evidence will be admissible in court.

The full text of the Federal Rules of Evidence (to which this chart and write-up refer) is available in PDF at www.uscourts.gov/rules/Evidence_Rules_2007.pdf.

1. Is the ESI (electronically stored information) relevant as defined under Rule 401?

Does the ESI make a material fact more or less probable than it would otherwise be? If it is not deemed relevant, the ESI is inadmissible. As can be seen from the diagram, a finding of relevance alone does not ensure admissibility.

2. The next determination to make is whether the ESI has been properly authenticated under Rules 901 and 902. Article 9 provides generally that, “The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” That is, can a party seeking to introduce evidence demonstrate to the court that the ESI is what it purports to be, at the time the assertion was made? If that demonstration cannot be made to the court’s satisfaction, the ESI is inadmissible. If it can, the next analytical hurdle must be overcome.

3. The third determination to be made is whether the ESI is offered for its substantive truth or if it is considered hearsay under Rules 801 and 802. If it is considered hearsay, does it fall under an exception (Rules 803 and 807) that would allow it to be admissible? Hearsay is generally not admissible, typically because the “declarant” (a person, or the writing of a person, or record of an organization) is not available for cross-examination at trial. Hearsay, however, may be deemed admissible if it falls under one of the following exceptions and conditions. (See numbers 4 and 5.)

4. The first hearsay exception involves situations where the availability of the declarant is not considered material under Rule 803.

a. First, does the evidence qualify as a business-record exception under Rule 803(6), which covers “records of regularly conducted activity”? If an ESI hearsay statement does not qualify as a business-record exception, then the ESI may fall under a Rule 807 Residual exception; skip to number 5. If a business record, ESI must also overcome the following additional hurdle.

b. Was the business record made at, or near, the time the assertion was made? If no, the ESI may fall under a Rule 807 Residual exception; go to 5. If yes, it needs to address the following additional hurdle.

c. Does the source (computer or person) of information indicate a lack of trustworthiness? If yes, as before, the ESI may fall under a Rule 807 Residual exception; go to 5. If trustworthy, it needs to pass the following additional hurdle.

d. Does the method of preparation indicate a lack of trustworthiness? If yes, as before, the ESI may fall under a Rule 807 Residual exception; go to 5. If trustworthy, the ESI is admissible.

5.  The  second  hearsay  exception  is  the  case 
where  the  admissibility  of  the  ESI  falls  under 
the  Rule  807  Residual  exception. 

a. The first hurdle under this exception is substantially similar to the hurdles defined by the Rule 803 exception. That is, does the hearsay (in the form of ESI) have equivalent circumstantial guarantees of trustworthiness as defined under 803 4b, 4c and 4d? If the hearsay was made near or at the time of the assertion (yes under 4b), and the source of the information does not indicate a lack of trustworthiness (no under 4c), and the method of preparation also does not indicate a lack of trustworthiness (no under 4d), then the following additional hurdles must be passed. However, if any of these conditions fails (no under 4b, or yes under 4c, or yes under 4d), then the ESI is inadmissible.

b. The second hurdle under this exception is whether the statement is offered as evidence of a material fact. If not, the ESI is inadmissible. However, if yes, the following additional hurdle must be overcome.

c. Does the probative value on the point for which the ESI is offered outweigh the danger of unfair prejudice under Rule 403? The probative value is weighed against the prejudicial impact of all evidence, and this consideration takes place by way of extrinsic analysis taken by a court and is not pertinent to the current discussion. That said, generally, if the answer to that question is no, the ESI is inadmissible. However, if the answer is yes, one additional hurdle must be passed, and it must be shown that no other Rule 403 factor is present to the extent that it would require the exclusion of relevant evidence, otherwise admissible (including ESI).

d. Will the general purposes of the Federal Rules of Evidence (FRE) and the interests of justice best be served by admission of the statement into evidence? If yes, then a final additional hurdle must be passed. If no, the ESI is inadmissible.


[Flowchart: Evidence Admissibility Decision Tree. Node text recovered from the chart; the Yes/No connectors between nodes are not reproduced.]

4. If hearsay, does it fall under Rule 803 exception?

4b. Was it made at or near the time that the assertion was made?

4c. Does the source (computer or person) of information indicate lack of trustworthiness?

5. If hearsay, it may be admissible under 807 residual exception (all other hearsay).

5a. Does hearsay have equivalent circumstantial guarantees of trustworthiness as under 803 and defined in 4b, 4c and 4d? (If yes under 4b, and no under 4c, and no under 4d, continue to 5b; if any of no under 4b, or yes under 4c, or yes under 4d, ESI is inadmissible.)

5b. Is the statement offered as evidence of a material fact?

5c. Is the statement more probative on the point for which it is offered than any other evidence which the proponent can procure through reasonable efforts?

6. Original Writing Rule 1000-1008 (a.k.a. “Best Evidence Rule”): Subject to certain enumerated exceptions not pertinent to this discussion, the original of any writing or recording is required. However, a duplicate is admissible to the same extent as an original unless either: (a) a genuine question is raised as to the authenticity of the original, or (b) it would be unfair under the circumstances to admit the duplicate.

7. Is the probative value of the evidence substantially outweighed by 403 factors?

Chart annotations: “Following hearsay analysis does not apply.” (on the path for ESI that is not hearsay); “ESI is inadmissible.” (terminal node reached from any failed hurdle).

Figure: Jacques Francoeur and Steven Teppler




[  cso  view] 

by  Audry  Agle 


Infosecurity  Governance: 
Centralized  Versus  Distributed 

How  to  build  a  model  that  works  for  your  business 


The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multidivisional organization, there’s an additional challenge: determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures and processes that define the program be developed and managed within a central, corporate body? Or perhaps would responsibility be better placed at the individual unit level? Is there a workable middle ground?

If alignment across business units is important, a centralized model would seem the proper choice. With the program directed and managed within a central governance body, all business units would be forced to abide by the same unified vision and policy set. This structure gives executive leadership and the board better oversight as there’s only one place to go to assess the posture of the organization. Centralized governance is generally most efficient since resources can be leveraged in a cost-effective manner across the organization, thereby limiting duplication of effort and better utilizing talent and tools. This model also offers some sustainability in that shareholders can be assured that the profitability of an individual unit isn’t likely to compromise the quality of the program. Finally, should an incident occur, it can be handled in a uniform manner with full corporate oversight.

However, there are issues with the centralized approach that can better be addressed with a distributed model, in which each business unit is responsible for its own infosec program. As they will develop their own policies and standards, they are far more likely to embrace the program, assign the necessary resources to it, and fully implement it. Rather than having a generic set of policies that apply across the organization, this model has the advantage of producing policies that are aligned with each unit’s specific business model. Further, the business unit can act autonomously and thus, theoretically, more efficiently when policy changes or incident investigations are necessary.

We are all familiar with the accountability issues that arose during the Enron situation. As a result, today’s shareholders demand that corporate leadership be well-versed in the conduct of the organizations they lead. Immediately following a significant information security incident, these leaders will likely be called on for details. In order to address this issue while leveraging the benefits of business-unit autonomy, many organizations are adopting a hybrid approach. The best of both models is achieved by providing for a central governance body focused on program results, while the business unit has control over the methods. These groups work together to achieve the overall program objectives. The following describes a way to establish a hybrid program with shared responsibilities.

1. Develop baseline policies and standards. In order to assure consistency, many organizations centralize this process. Business units, however, should have significant input into the development of these materials, as acceptance will be critical to adoption. By defining consistent baseline requirements across the organization, leadership can understand the framework of the program. The unit is then encouraged to develop its own business-specific set, which augments the corporate baseline and addresses any unique needs the particular unit may have.

Photo by Veer

2. Assess gaps. This may be performed by internal security and audit resources, external vendors or consulting agencies. Centralizing this function will help ensure an objective picture of each unit’s conformance to baseline policy.

3. Plan and implement risk controls. Development of mitigation strategies is often best performed at the unit level, where processes are understood most intimately and changes can be implemented more efficiently. The central governance body may be able to offer objective ideas for controls that have not been considered, but it should not dictate how the unit will achieve policy compliance.

4. Manage and monitor ongoing measurement. Managing the controls once they’re implemented is generally a unit-level function; however, monitoring and measuring the effectiveness of the controls should be shared. While the business unit will likely want to monitor the results, the central governance group will need insight as well. Reliable, objective metrics will be required to assure senior leadership that the program is effective. To ensure unbiased reporting, unit personnel should have a reporting relationship to the central governance body.

Companies with similar products and customers across units will likely have a strong need for uniformity and will naturally adjust their model toward more centralization. Conversely, those with diverse business models and dissimilar customers are likely to have very different security requirements and thus may lean toward a more distributed model by shifting more responsibility to the unit level.

No matter which model your organization chooses to adopt, senior leadership and the board of directors must stay involved. Management must clearly communicate that it values and embraces the infosec program to motivate the same response among staff. The responsible infosec group, whether at the corporate level or the unit level, can be successful in its initiatives only if constituents are held accountable for compliance with the program. Policy violations should be taken very seriously and must have repercussions. Further, the organization must be willing to be flexible and adjust the program based on feedback and results. Solid information security programs don’t just happen; organizations must take a well-considered, collaborative approach when deciding which model is best in meeting their business objectives. ■


Audry Agle is vice president of information security for The First American Corporation. In her current role she is responsible for assisting in the development and maintenance of the corporation’s information security program.



LEGAL  NOTICE 

U.S.  POSTAL  SERVICE 
STATEMENT  OF  OWNERSHIP, 

MANAGEMENT  and  CIRCULATION 
(Required  by  39  U.S.C.  3685) 

1. Title of Publication: CSO

2.  Publication  No.:021-412 

3.  Date  of  filing:  September  19, 2008 

4.  Frequency  of  issue:  10  issues  yearly  with 
a  combo  Dec/Jan  and  Jul/Aug 

5.  Number  of  issues  published  annually:  10 

6.  Annual  subscription  price:  $70.00 

7. Location of known office of publication: 492 Old Connecticut Path, PO Box 9208, Framingham, MA 01701-9208 (Middlesex-Central County).

8. Location of the headquarters of general business offices of the publishers: CXO Media, 492 Old Connecticut Path, PO Box 9208, Framingham, MA 01701-9208 (Middlesex-Central County).

9.  Names  and  addresses  of  the  publisher,  editor  and 
managing  editor: 

Publisher,  Bob  Bragdon,  492  Old  Connecticut  Path, 
Framingham,  MA  01701-9208. 

Editor-in-Chief,  Derek  Slater,  492  Old  Connecticut 
Path,  Framingham,  MA  01701-9208. 

Managing  Editor,  Bill  Brenner,  492  Old  Connecticut 
Path,  Framingham,  MA  01701-9208 

10.  Owner:  International  Data  Group,  1  Exeter 
Plaza,  Boston,  MA  02116-2851. 

11.  Known  bondholders,  mortgages  and  other 
security  holders  owning  or  holding  1%  or 
more  of  total  amount  of  bonds,  mortgages  or 
other  securities:  International  Data  Group,  1 
Exeter  Plaza,  Boston,  MA  02116-2851.  None 

12.  For  completion  by  nonprofit  organizations 
authorized  to  mail  at  special  rates:  Not  applicable. 

13. Publication Name: CSO

14.  Issue  date  for  circulation  data 
below:  September  01, 2008. 

15. Extent and nature of circulation:

(Each row gives two figures: Average No. Copies Each Issue during Preceding 12 Months; No. Copies of Single Issue Published Nearest to Filing Date.)

A. Total number of copies printed (net press run): 30,734; 30,973

B. Legitimate paid and/or requested distribution (by mail and outside the mail)
   1. Outside county paid/requested mail subscriptions stated on PS Form 3541: 29,784; 29,213
   2. In-county paid/requested mail subscriptions stated on PS 3541: 0; 0
   3. Sales through dealers and carriers, street vendors, counter sales, and other non-USPS paid distribution: 178; 150
   4. Requested copies distributed by other mail classes through the USPS: 0; 0

C. Total paid and/or requested circulation: 29,962; 29,363

D. Nonrequested distribution (by mail and outside the mail)
   1. Outside county nonrequested copies stated on form 3541: 0; 0
   2. In-county nonrequested copies stated on form PS 3541: 0; 0
   3. Nonrequested copies distributed through the USPS by other classes of mail: 0; 0
   4. Nonrequested copies distributed outside the mail: 778; 1596

E. Total nonrequested distribution (Sum of 15d (1), (2), and (3)): 0; 0

F. Total distribution (Sum of 15c and 15e): 29,962; 29,363

G. Copies not distributed: 778; 1596

H. Total (Sum of 15f and 15g): 30,740; 30,959

I. Percent paid and/or requested circulation: 100%; 100%

I  certify  that  the  statements  made  by  me 
above  are  correct  and  complete. 


Michelle  Fuller 
Distribution  Manager 


[  INDUSTRY  VIEW] 

Brian  Foster 


New  Ways  to  Approach 
Security  in  a  Web  2.0  World 

Web  2.0  technologies  have  ushered  in  a  new  age  of  security  threats. 
Symantec’s  Brian  Foster  explains  what  you  need  to  do  about  it. 


Business  isn’t  what  it  used  to  be. 

Connectivity is driving increased mobility, online interaction and collaboration. Communication is the foundation of business. Employees are scattered, and they use multiple devices and applications at multiple locations. Collaboration is enabling new levels of productivity, blurring the lines between end users and enterprises. Transactions, and the sensitive information they include, are moving online. In this new Web 2.0 world, people are the perimeter.

Unfortunately, hackers and cybercriminals are keeping pace in this new domain. Today’s attackers are increasingly sophisticated and organized. In fact, they have begun to adopt methods similar to traditional software development and business practices. As security measures are developed and implemented to protect computers and the data stored on and transmitted over them, attackers are adapting new techniques and strategies to circumvent them. And, as attack activity has become more profit-driven, many aspects of it have become professionalized and commercialized. In many ways, today’s attacker tools are a reflection of a burgeoning underground economy that requires specialized tools to meet the demands of a highly lucrative industry.

Worse yet, outsider threats are only part of the problem. Enterprises are also vulnerable to threats from within the organization, whether from a disgruntled employee who steals sensitive customer information or a distracted contractor who misplaces a laptop filled with confidential but unencrypted data.

Clearly, in such an interconnected business world, yesterday’s approach to security is no longer effective. Just as new ways of doing business were ushered in with Web 2.0, next-generation security practices must be adopted to ensure a more enlightened era of enterprise security. Call it Security 2.0: an evolution in security that focuses not simply on protecting systems and keeping hackers out but also on securing information and interactions. It takes a more dynamic view of security, with technologies and processes that adapt to the reputation or behavior of devices, people and applications.

Policy drives Security 2.0, technology enables it and operations strengthen it.

A security policy must help organizations manage and control both inbound and outbound content to protect them from the inadvertent or intentional distribution of or access to confidential and sensitive information. To that end, a variety of solutions are available to enable organizations to know where their information is, establish policies for accessing it, filter sensitive content in electronic messages, and manage and control database exposure risk. Together with employee security training and awareness, these solutions can protect against data loss.

The growing sophistication of today’s attacks calls for more scalable security. Enterprises now need proactive security measures that can adapt to protect against the most proximate and pressing risks their organizations face. For example, while traditional antivirus, antispyware and other signature-based protection measures—which are primarily reactive—may have been sufficient to protect an organization’s vital resources a few years ago, they need to be combined with more proactive behavior-based technologies in the Web 2.0 world.

A more effective security approach addresses a range of considerations, from the level of risk associated with a threat to the information requiring protection and the reputation of those who attempt to access the organization’s systems and information. In a Security 2.0 environment, proactive technologies automatically analyze application behaviors and network communications to detect and block suspicious activities, while device and application control features allow administrators to deny specific device and application activities deemed high risk. These next-generation technologies can even block specific actions based on the location of the user.

Perhaps one of the most significant changes that Security 2.0 calls for is the need to turn security into a standard business process. Although the traditional approach to enterprise security has involved individual groups within an organization working in silos, a next-generation security strategy combines standard security with data management, thereby embedding security throughout the business processes. ■


Brian Foster is vice president, product management at Symantec.





Save  the  Date  for  Digital  ID  World  2009, 
Las  Vegas,  October  14-16, 2009 



[  debriefing] 


Cleanup  in  Aisle  5 


1.  Which  of  the 
following  weapons  did 
a  Swedish  man  use  to 
rob  a  grocery  store? 

a.  A  large,  heavy  salami 

b.  A  toy  gun 

c.  An  ax 

d.  A  ski  pole 

2.  Where  did  police 
find  13,000  boxes  of 
Nilla  Wafers  and  Ritz 
Crackers  stolen  off 
trucks  in  Georgia  that 
were  shipping  them 
to  grocery  stores? 

a.  In  grocery  stores  in  Michigan, 
where  they’d  been  sold  through 
a  middleman 

b.  In  a  home  in  Florida,  where  the 
thief  had  taken  them  and  was 
selling  them  on  eBay 

c.  At  an  aviary  in  Virginia,  where 
they  were  being  used  to  feed 
the  birds 

d.  In  a  storage  facility  in  Georgia, 
where  authorities  also  found 
thousands  of  boxes  of  Oreos 
and  Vienna  Fingers 

3.  How  did  a  New 
Hampshire  couple 
allegedly  attempt 
to  steal  $17  worth 
of  steak,  hamburger 
and  crabmeat? 

a.  By  switching  labels  so  that 
when  the  items  were  scanned, 
they  registered  as  3  pounds  of 
bananas  for  $4.99 

b.  By  putting  the  meat  in  emptied- 
out  cereal  boxes  and  having 
those  boxes  scanned  instead 

c. By stealing a child's backpack from the store, filling it with the meat and seafood, and putting the backpack on their 6-year-old

d.  By  “crotching  it”— a  term  used 
for  the  technique  of  hiding 
something  down  one’s  pants, 
between  one’s  legs 

4.  Which  of  the  following 
is  the  correct  use  of  the 
term  “bob  shrink"? 

a.  “The  thief  first  tried  to  duck 
back  to  aisle  four,  then  he 
attempted  to  bob  shrink 
through  aisle  five." 

b.  “The  cashier’s  bob  shrink  prob¬ 
lem  is  unsanitary  and  could 
lead  to  her  dismissal.” 

c.  “If  we  could  just  improve  on 
our  bob  shrink,  we’d  be  making 
more  money  per  customer.” 

5. Rank these grocery items by their likelihood of getting shoplifted, from most likely to least likely:

Pack of hamburger
Carton of milk
Some melons
Stick of deodorant
Some bagels
Jar of popcorn

6.  According  to  a 
2006  Food  Marketing 
Institute  survey,  what 
percentage  of  grocery 
store  shrink  is  caused  by 
employee  shoplifting? 

a.  Less  than  20  percent 

b.  40  percent 

c.  50  percent 

d.  More  than  60  percent 

7. What percentage of companies reported offering loss-prevention training to employees below the level of manager?

a.  Less  than  20  percent 

b.  40  percent 

c.  50  percent 

d.  More  than  60  percent 

8. According to a Time magazine article, what was the salary paid to Cincinnati's former police chief, Stanley Schrotel, to become head of security for 1,458 Kroger stores in 24 states in 1966?

a. $99,000

b. $53,000

c. $31,200

d. $25,000

9. What would a well-paid grocery store security guard make today?

a. $99,000

b. $53,000

c. $31,200

d. $25,000

Bonus  Question:  What 
did  a  shoplifter  at 
a  grocery  store  in 
Germany  leave  with  a 
clerk  as  he  exited  with 
his  stolen  goods? 


ANSWERS: 1. c; 2. a; 3. c (security personnel were reportedly tipped off when they saw the 6-year-old fall over under the weight of the meat and seafood in the backpack); 4. c ("bob shrink," or "bottom of basket shrink," is loss due to unpaid groceries missed, accidentally or intentionally, at the bottom of the basket); 5. Melons, bagels, hamburger, deodorant, popcorn, milk; 6. b; 7. a; 8. d; 9. c. Bonus Question: He left a note that read, "Call the police, I've just stolen..." and included his address. Officers called on him and he confessed.


How'd You Do?


0-3  Correct:  Return  to  Sender 
4-7  Correct:  Standard  Postage 
8-10  Correct:  Priority  Mail! 




Illustration  by  Stephen  Webster 


What would you pay for this USB stick?

Some would pay BILLIONS


Every day you read about some company's intellectual property, stored on a portable storage device, that has been lost or stolen. With Lumension's Data Protection Solution you know who is accessing your company's data and with what devices. Don't wait to find out how much someone would pay for your information. Get Proactive. Get Lumension.

Learn  more  about  data  protection  misconceptions  and  how  Lumension  Security’s 
Data  Protection  Solution  can  protect  your  data  by  downloading  the  whitepaper  at 
www.lumension.com/security-tip-22  or  for  a  FREE  30  DAY  TRIAL  call  us  at  1.888.970.1025 


Vulnerability  Management  /  Endpoint  Security  /  Data  Protection  /  Compliance 


Lumension Security


15880 N. Greenway-Hayden Loop, Suite 100 / Scottsdale, AZ 85260 / 1.888.970.1025 / www.lumension.com
© Copyright 2008, Lumension Security™, Inc. All Rights Reserved.


©  2008  Websense,  Inc.  All  Rights  Reserved. 


The  answer  is  yes,  yes,  yes  —  and  yes.  Because  when  Websense  Web,  data  and 
messaging  security  solutions  protect  your  essential  information,  you’re  free  to 
embrace  a  whole  new  world  of  business  opportunities. 


Yes!

Websense


So  go  ahead.  Just  say  yes.  Find  out  how  at  websense.com. 


ESSENTIAL  INFORMATION  PROTECTION 


